# -*- coding: utf-8 -*-
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
from __future__ import annotations

from typing import MutableMapping, MutableSequence

from google.protobuf import timestamp_pb2  # type: ignore
import proto  # type: ignore

__protobuf__ = proto.module(
    package="google.cloud.osconfig.v1",
    manifest={
        "VulnerabilityReport",
        "GetVulnerabilityReportRequest",
        "ListVulnerabilityReportsRequest",
        "ListVulnerabilityReportsResponse",
        "CVSSv3",
    },
)


class VulnerabilityReport(proto.Message):
    r"""This API resource represents the vulnerability report for a
    specified Compute Engine virtual machine (VM) instance at a given
    point in time.

    For more information, see `Vulnerability
    reports <https://cloud.google.com/compute/docs/instances/os-inventory-management#vulnerability-reports>`__.

    Attributes:
        name (str):
            Output only. The ``vulnerabilityReport`` API resource name.

            Format:
            ``projects/{project_number}/locations/{location}/instances/{instance_id}/vulnerabilityReport``
        vulnerabilities (MutableSequence[google.cloud.osconfig_v1.types.VulnerabilityReport.Vulnerability]):
            Output only. List of vulnerabilities
            affecting the VM.
        update_time (google.protobuf.timestamp_pb2.Timestamp):
            Output only. The timestamp for when the last
            vulnerability report was generated for the VM.
        highest_upgradable_cve_severity (google.cloud.osconfig_v1.types.VulnerabilityReport.VulnerabilitySeverityLevel):
            Output only. Highest level of severity among
            all the upgradable vulnerabilities with CVEs
            attached.
    """

    class VulnerabilitySeverityLevel(proto.Enum):
        r"""Severity levels for vulnerabilities.

        Values:
            VULNERABILITY_SEVERITY_LEVEL_UNSPECIFIED (0):
                Default SeverityLevel. This value is unused.
            NONE (1):
                Vulnerability has no severity level.
            MINIMAL (2):
                Vulnerability severity level is minimal. This
                is level below the low severity level.
            LOW (3):
                Vulnerability severity level is low. This is
                level below the medium severity level.
            MEDIUM (4):
                Vulnerability severity level is medium. This
                is level below the high severity level.
            HIGH (5):
                Vulnerability severity level is high. This is
                level below the critical severity level.
            CRITICAL (6):
                Vulnerability severity level is critical.
                This is the highest severity level.
        """
        VULNERABILITY_SEVERITY_LEVEL_UNSPECIFIED = 0
        NONE = 1
        MINIMAL = 2
        LOW = 3
        MEDIUM = 4
        HIGH = 5
        CRITICAL = 6

    class Vulnerability(proto.Message):
        r"""A vulnerability affecting the VM instance.

        Attributes:
            details (google.cloud.osconfig_v1.types.VulnerabilityReport.Vulnerability.Details):
                Contains metadata as per the upstream feed of
                the operating system and NVD.
            installed_inventory_item_ids (MutableSequence[str]):
                Corresponds to the ``INSTALLED_PACKAGE`` inventory item on
                the VM. This field displays the inventory items affected by
                this vulnerability. If the vulnerability report was not
                updated after the VM inventory update, these values might
                not display in VM inventory. For some distros, this field
                may be empty.
            available_inventory_item_ids (MutableSequence[str]):
                Corresponds to the ``AVAILABLE_PACKAGE`` inventory item on
                the VM. If the vulnerability report was not updated after
                the VM inventory update, these values might not display in
                VM inventory. If there is no available fix, the field is
                empty. The ``inventory_item`` value specifies the latest
                ``SoftwarePackage`` available to the VM that fixes the
                vulnerability.
            create_time (google.protobuf.timestamp_pb2.Timestamp):
                The timestamp for when the vulnerability was
                first detected.
            update_time (google.protobuf.timestamp_pb2.Timestamp):
                The timestamp for when the vulnerability was
                last modified.
            items (MutableSequence[google.cloud.osconfig_v1.types.VulnerabilityReport.Vulnerability.Item]):
                List of items affected by the vulnerability.
        """

        class Details(proto.Message):
            r"""Contains metadata information for the vulnerability. This
            information is collected from the upstream feed of the operating
            system.

            Attributes:
                cve (str):
                    The CVE of the vulnerability. CVE cannot be
                    empty and the combination of <cve,
                    classification> should be unique across
                    vulnerabilities for a VM.
                cvss_v2_score (float):
                    The CVSS V2 score of this vulnerability. CVSS
                    V2 score is on a scale of 0 - 10 where 0
                    indicates low severity and 10 indicates high
                    severity.
                cvss_v3 (google.cloud.osconfig_v1.types.CVSSv3):
                    The full description of the CVSSv3 for this
                    vulnerability from NVD.
                severity (str):
                    Assigned severity/impact ranking from the
                    distro.
                description (str):
                    The note or description describing the
                    vulnerability from the distro.
                references (MutableSequence[google.cloud.osconfig_v1.types.VulnerabilityReport.Vulnerability.Details.Reference]):
                    Corresponds to the references attached to the
                    ``VulnerabilityDetails``.
            """

            class Reference(proto.Message):
                r"""A reference for this vulnerability.

                Attributes:
                    url (str):
                        The url of the reference.
                    source (str):
                        The source of the reference e.g. NVD.
                """

                url: str = proto.Field(
                    proto.STRING,
                    number=1,
                )
                source: str = proto.Field(
                    proto.STRING,
                    number=2,
                )

            cve: str = proto.Field(
                proto.STRING,
                number=1,
            )
            cvss_v2_score: float = proto.Field(
                proto.FLOAT,
                number=2,
            )
            cvss_v3: "CVSSv3" = proto.Field(
                proto.MESSAGE,
                number=3,
                message="CVSSv3",
            )
            severity: str = proto.Field(
                proto.STRING,
                number=4,
            )
            description: str = proto.Field(
                proto.STRING,
                number=5,
            )
            references: MutableSequence[
                "VulnerabilityReport.Vulnerability.Details.Reference"
            ] = proto.RepeatedField(
                proto.MESSAGE,
                number=6,
                message="VulnerabilityReport.Vulnerability.Details.Reference",
            )

        class Item(proto.Message):
            r"""OS inventory item that is affected by a vulnerability or
            fixed as a result of a vulnerability.

            Attributes:
                installed_inventory_item_id (str):
                    Corresponds to the ``INSTALLED_PACKAGE`` inventory item on
                    the VM. This field displays the inventory items affected by
                    this vulnerability. If the vulnerability report was not
                    updated after the VM inventory update, these values might
                    not display in VM inventory. For some operating systems,
                    this field might be empty.
                available_inventory_item_id (str):
                    Corresponds to the ``AVAILABLE_PACKAGE`` inventory item on
                    the VM. If the vulnerability report was not updated after
                    the VM inventory update, these values might not display in
                    VM inventory. If there is no available fix, the field is
                    empty. The ``inventory_item`` value specifies the latest
                    ``SoftwarePackage`` available to the VM that fixes the
                    vulnerability.
                fixed_cpe_uri (str):
                    The recommended `CPE
                    URI <https://cpe.mitre.org/specification/>`__ update that
                    contains a fix for this vulnerability.
                upstream_fix (str):
                    The upstream OS patch, packages or KB that
                    fixes the vulnerability.
            """

            installed_inventory_item_id: str = proto.Field(
                proto.STRING,
                number=1,
            )
            available_inventory_item_id: str = proto.Field(
                proto.STRING,
                number=2,
            )
            fixed_cpe_uri: str = proto.Field(
                proto.STRING,
                number=3,
            )
            upstream_fix: str = proto.Field(
                proto.STRING,
                number=4,
            )

        details: "VulnerabilityReport.Vulnerability.Details" = proto.Field(
            proto.MESSAGE,
            number=1,
            message="VulnerabilityReport.Vulnerability.Details",
        )
        installed_inventory_item_ids: MutableSequence[str] = proto.RepeatedField(
            proto.STRING,
            number=2,
        )
        available_inventory_item_ids: MutableSequence[str] = proto.RepeatedField(
            proto.STRING,
            number=3,
        )
        create_time: timestamp_pb2.Timestamp = proto.Field(
            proto.MESSAGE,
            number=4,
            message=timestamp_pb2.Timestamp,
        )
        update_time: timestamp_pb2.Timestamp = proto.Field(
            proto.MESSAGE,
            number=5,
            message=timestamp_pb2.Timestamp,
        )
        items: MutableSequence[
            "VulnerabilityReport.Vulnerability.Item"
        ] = proto.RepeatedField(
            proto.MESSAGE,
            number=6,
            message="VulnerabilityReport.Vulnerability.Item",
        )

    name: str = proto.Field(
        proto.STRING,
        number=1,
    )
    vulnerabilities: MutableSequence[Vulnerability] = proto.RepeatedField(
        proto.MESSAGE,
        number=2,
        message=Vulnerability,
    )
    update_time: timestamp_pb2.Timestamp = proto.Field(
        proto.MESSAGE,
        number=3,
        message=timestamp_pb2.Timestamp,
    )
    highest_upgradable_cve_severity: VulnerabilitySeverityLevel = proto.Field(
        proto.ENUM,
        number=4,
        enum=VulnerabilitySeverityLevel,
    )


class GetVulnerabilityReportRequest(proto.Message):
    r"""A request message for getting the vulnerability report for
    the specified VM.

    Attributes:
        name (str):
            Required. API resource name for vulnerability resource.

            Format:
            ``projects/{project}/locations/{location}/instances/{instance}/vulnerabilityReport``

            For ``{project}``, either ``project-number`` or
            ``project-id`` can be provided. For ``{instance}``, either
            Compute Engine ``instance-id`` or ``instance-name`` can be
            provided.
    """

    name: str = proto.Field(
        proto.STRING,
        number=1,
    )


class ListVulnerabilityReportsRequest(proto.Message):
    r"""A request message for listing vulnerability reports for all
    VM instances in the specified location.

    Attributes:
        parent (str):
            Required. The parent resource name.

            Format:
            ``projects/{project}/locations/{location}/instances/-``

            For ``{project}``, either ``project-number`` or
            ``project-id`` can be provided.
        page_size (int):
            The maximum number of results to return.
        page_token (str):
            A pagination token returned from a previous call to
            ``ListVulnerabilityReports`` that indicates where this
            listing should continue from.
        filter (str):
            This field supports filtering by the severity level for the
            vulnerability. For a list of severity levels, see `Severity
            levels for
            vulnerabilities <https://cloud.google.com/container-analysis/docs/container-scanning-overview#severity_levels_for_vulnerabilities>`__.

            The filter field follows the rules described in the
            `AIP-160 <https://google.aip.dev/160>`__ guidelines as
            follows:

            - **Filter for a specific severity type**: you can list
              reports that contain vulnerabilities that are classified
              as medium by specifying
              ``vulnerabilities.details.severity:MEDIUM``.

            - **Filter for a range of severities** : you can list
              reports that have vulnerabilities that are classified as
              critical or high by specifying
              ``vulnerabilities.details.severity:HIGH OR vulnerabilities.details.severity:CRITICAL``
    """

    parent: str = proto.Field(
        proto.STRING,
        number=1,
    )
    page_size: int = proto.Field(
        proto.INT32,
        number=2,
    )
    page_token: str = proto.Field(
        proto.STRING,
        number=3,
    )
    filter: str = proto.Field(
        proto.STRING,
        number=4,
    )


class ListVulnerabilityReportsResponse(proto.Message):
    r"""A response message for listing vulnerability reports for all
    VM instances in the specified location.

    Attributes:
        vulnerability_reports (MutableSequence[google.cloud.osconfig_v1.types.VulnerabilityReport]):
            List of vulnerabilityReport objects.
        next_page_token (str):
            The pagination token to retrieve the next
            page of vulnerabilityReports object.
    """

    @property
    def raw_page(self):
        return self

    vulnerability_reports: MutableSequence["VulnerabilityReport"] = proto.RepeatedField(
        proto.MESSAGE,
        number=1,
        message="VulnerabilityReport",
    )
    next_page_token: str = proto.Field(
        proto.STRING,
        number=2,
    )


class CVSSv3(proto.Message):
    r"""Common Vulnerability Scoring System version 3.
    For details, see
    https://www.first.org/cvss/specification-document

    Attributes:
        base_score (float):
            The base score is a function of the base
            metric scores.
            https://www.first.org/cvss/specification-document#Base-Metrics
        exploitability_score (float):
            The Exploitability sub-score equation is
            derived from the Base Exploitability metrics.
            https://www.first.org/cvss/specification-document#2-1-Exploitability-Metrics
        impact_score (float):
            The Impact sub-score equation is derived from
            the Base Impact metrics.
        attack_vector (google.cloud.osconfig_v1.types.CVSSv3.AttackVector):
            This metric reflects the context by which
            vulnerability exploitation is possible.
        attack_complexity (google.cloud.osconfig_v1.types.CVSSv3.AttackComplexity):
            This metric describes the conditions beyond
            the attacker's control that must exist in order
            to exploit the vulnerability.
        privileges_required (google.cloud.osconfig_v1.types.CVSSv3.PrivilegesRequired):
            This metric describes the level of privileges
            an attacker must possess before successfully
            exploiting the vulnerability.
        user_interaction (google.cloud.osconfig_v1.types.CVSSv3.UserInteraction):
            This metric captures the requirement for a
            human user, other than the attacker, to
            participate in the successful compromise of the
            vulnerable component.
        scope (google.cloud.osconfig_v1.types.CVSSv3.Scope):
            The Scope metric captures whether a
            vulnerability in one vulnerable component
            impacts resources in components beyond its
            security scope.
        confidentiality_impact (google.cloud.osconfig_v1.types.CVSSv3.Impact):
            This metric measures the impact to the
            confidentiality of the information resources
            managed by a software component due to a
            successfully exploited vulnerability.
        integrity_impact (google.cloud.osconfig_v1.types.CVSSv3.Impact):
            This metric measures the impact to integrity
            of a successfully exploited vulnerability.
        availability_impact (google.cloud.osconfig_v1.types.CVSSv3.Impact):
            This metric measures the impact to the
            availability of the impacted component resulting
            from a successfully exploited vulnerability.
    """

    class AttackVector(proto.Enum):
        r"""This metric reflects the context by which vulnerability
        exploitation is possible.

        Values:
            ATTACK_VECTOR_UNSPECIFIED (0):
                Invalid value.
            ATTACK_VECTOR_NETWORK (1):
                The vulnerable component is bound to the
                network stack and the set of possible attackers
                extends beyond the other options listed below,
                up to and including the entire Internet.
            ATTACK_VECTOR_ADJACENT (2):
                The vulnerable component is bound to the
                network stack, but the attack is limited at the
                protocol level to a logically adjacent topology.
            ATTACK_VECTOR_LOCAL (3):
                The vulnerable component is not bound to the
                network stack and the attacker's path is via
                read/write/execute capabilities.
            ATTACK_VECTOR_PHYSICAL (4):
                The attack requires the attacker to
                physically touch or manipulate the vulnerable
                component.
        """
        ATTACK_VECTOR_UNSPECIFIED = 0
        ATTACK_VECTOR_NETWORK = 1
        ATTACK_VECTOR_ADJACENT = 2
        ATTACK_VECTOR_LOCAL = 3
        ATTACK_VECTOR_PHYSICAL = 4

    class AttackComplexity(proto.Enum):
        r"""This metric describes the conditions beyond the attacker's
        control that must exist in order to exploit the vulnerability.

        Values:
            ATTACK_COMPLEXITY_UNSPECIFIED (0):
                Invalid value.
            ATTACK_COMPLEXITY_LOW (1):
                Specialized access conditions or extenuating
                circumstances do not exist. An attacker can
                expect repeatable success when attacking the
                vulnerable component.
            ATTACK_COMPLEXITY_HIGH (2):
                A successful attack depends on conditions
                beyond the attacker's control. That is, a
                successful attack cannot be accomplished at
                will, but requires the attacker to invest in
                some measurable amount of effort in preparation
                or execution against the vulnerable component
                before a successful attack can be expected.
        """
        ATTACK_COMPLEXITY_UNSPECIFIED = 0
        ATTACK_COMPLEXITY_LOW = 1
        ATTACK_COMPLEXITY_HIGH = 2

    class PrivilegesRequired(proto.Enum):
        r"""This metric describes the level of privileges an attacker
        must possess before successfully exploiting the vulnerability.

        Values:
            PRIVILEGES_REQUIRED_UNSPECIFIED (0):
                Invalid value.
            PRIVILEGES_REQUIRED_NONE (1):
                The attacker is unauthorized prior to attack,
                and therefore does not require any access to
                settings or files of the vulnerable system to
                carry out an attack.
            PRIVILEGES_REQUIRED_LOW (2):
                The attacker requires privileges that provide
                basic user capabilities that could normally
                affect only settings and files owned by a user.
                Alternatively, an attacker with Low privileges
                has the ability to access only non-sensitive
                resources.
            PRIVILEGES_REQUIRED_HIGH (3):
                The attacker requires privileges that provide
                significant (e.g., administrative) control over
                the vulnerable component allowing access to
                component-wide settings and files.
        """
        PRIVILEGES_REQUIRED_UNSPECIFIED = 0
        PRIVILEGES_REQUIRED_NONE = 1
        PRIVILEGES_REQUIRED_LOW = 2
        PRIVILEGES_REQUIRED_HIGH = 3

    class UserInteraction(proto.Enum):
        r"""This metric captures the requirement for a human user, other
        than the attacker, to participate in the successful compromise
        of the vulnerable component.

        Values:
            USER_INTERACTION_UNSPECIFIED (0):
                Invalid value.
            USER_INTERACTION_NONE (1):
                The vulnerable system can be exploited
                without interaction from any user.
            USER_INTERACTION_REQUIRED (2):
                Successful exploitation of this vulnerability
                requires a user to take some action before the
                vulnerability can be exploited.
        """
        USER_INTERACTION_UNSPECIFIED = 0
        USER_INTERACTION_NONE = 1
        USER_INTERACTION_REQUIRED = 2

    class Scope(proto.Enum):
        r"""The Scope metric captures whether a vulnerability in one
        vulnerable component impacts resources in components beyond its
        security scope.

        Values:
            SCOPE_UNSPECIFIED (0):
                Invalid value.
            SCOPE_UNCHANGED (1):
                An exploited vulnerability can only affect
                resources managed by the same security
                authority.
            SCOPE_CHANGED (2):
                An exploited vulnerability can affect
                resources beyond the security scope managed by
                the security authority of the vulnerable
                component.
        """
        SCOPE_UNSPECIFIED = 0
        SCOPE_UNCHANGED = 1
        SCOPE_CHANGED = 2

    class Impact(proto.Enum):
        r"""The Impact metrics capture the effects of a successfully
        exploited vulnerability on the component that suffers the worst
        outcome that is most directly and predictably associated with
        the attack.

        Values:
            IMPACT_UNSPECIFIED (0):
                Invalid value.
            IMPACT_HIGH (1):
                High impact.
            IMPACT_LOW (2):
                Low impact.
            IMPACT_NONE (3):
                No impact.
        """
        IMPACT_UNSPECIFIED = 0
        IMPACT_HIGH = 1
        IMPACT_LOW = 2
        IMPACT_NONE = 3

    base_score: float = proto.Field(
        proto.FLOAT,
        number=1,
    )
    exploitability_score: float = proto.Field(
        proto.FLOAT,
        number=2,
    )
    impact_score: float = proto.Field(
        proto.FLOAT,
        number=3,
    )
    attack_vector: AttackVector = proto.Field(
        proto.ENUM,
        number=5,
        enum=AttackVector,
    )
    attack_complexity: AttackComplexity = proto.Field(
        proto.ENUM,
        number=6,
        enum=AttackComplexity,
    )
    privileges_required: PrivilegesRequired = proto.Field(
        proto.ENUM,
        number=7,
        enum=PrivilegesRequired,
    )
    user_interaction: UserInteraction = proto.Field(
        proto.ENUM,
        number=8,
        enum=UserInteraction,
    )
    scope: Scope = proto.Field(
        proto.ENUM,
        number=9,
        enum=Scope,
    )
    confidentiality_impact: Impact = proto.Field(
        proto.ENUM,
        number=10,
        enum=Impact,
    )
    integrity_impact: Impact = proto.Field(
        proto.ENUM,
        number=11,
        enum=Impact,
    )
    availability_impact: Impact = proto.Field(
        proto.ENUM,
        number=12,
        enum=Impact,
    )


__all__ = tuple(sorted(__protobuf__.manifest))
